feat: 增加工作流和知识库三级权限
- 抽取统一资源访问骨架与部门可见范围判断 - 接入工作流和知识库的 READ/MANAGE 权限校验 - 增加可见范围配置与只读态前端交互
@@ -0,0 +1,12 @@
|
||||
package tech.easyflow.system.service;
|
||||
|
||||
import tech.easyflow.system.enums.CategoryResourceType;
|
||||
import tech.easyflow.system.enums.ResourceAction;
|
||||
import tech.easyflow.system.permission.resource.VisibilityResource;
|
||||
|
||||
public interface ResourceAccessService {
|
||||
|
||||
boolean canAccess(CategoryResourceType resourceType, VisibilityResource resource, ResourceAction action);
|
||||
|
||||
void assertAccess(CategoryResourceType resourceType, VisibilityResource resource, ResourceAction action, String message);
|
||||
}
|
||||
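Review bot: Neither method of `ResourceAccessService` documents whose access is being evaluated. The signatures take no subject, yet the implementation in this commit resolves it from the current session via `SaTokenUtil.getLoginAccount()`. A caller running without a login session, for example a scheduled or asynchronous job, will therefore always be denied, which is safe but not obvious. I would add Javadoc such as `/** Evaluates access for the currently logged-in account; returns false when resource is null or no account is logged in. */` on `canAccess`. On `assertAccess`, add a matching note that it throws `BusinessException` and that a null `message` falls back to a default text.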
@@ -3,6 +3,9 @@ package tech.easyflow.system.service;
|
||||
import tech.easyflow.system.entity.SysDept;
|
||||
import com.mybatisflex.core.service.IService;
|
||||
|
||||
import java.math.BigInteger;
|
||||
import java.util.Set;
|
||||
|
||||
/**
|
||||
* 部门表 服务层。
|
||||
*
|
||||
@@ -11,4 +14,7 @@ import com.mybatisflex.core.service.IService;
|
||||
*/
|
||||
public interface SysDeptService extends IService<SysDept> {
|
||||
|
||||
Set<BigInteger> getSelfAndAncestorDeptIds(BigInteger currentDeptId);
|
||||
|
||||
boolean canUserAccessDeptScopedResource(BigInteger currentDeptId, BigInteger resourceDeptId);
|
||||
}
|
||||
|
||||
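Review bot: The direction of the hierarchy check in `canUserAccessDeptScopedResource` is not documented, and it is easy to read it the wrong way round. Per the implementation in this commit, it returns true when `resourceDeptId` is the caller's own department or one of its ancestors. A resource scoped to a parent department is therefore readable from every descendant department, while a parent-department user cannot read a child department's resource. Please state that on the interface, e.g. `/** True when resourceDeptId is currentDeptId or one of its ancestors; false if either id is null. */`. Also document that `getSelfAndAncestorDeptIds` returns an empty set for a null or unknown department id.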
@@ -0,0 +1,65 @@
|
||||
package tech.easyflow.system.service.impl;
|
||||
|
||||
import org.springframework.stereotype.Service;
|
||||
import tech.easyflow.common.entity.LoginAccount;
|
||||
import tech.easyflow.common.satoken.util.SaTokenUtil;
|
||||
import tech.easyflow.common.web.exceptions.BusinessException;
|
||||
import tech.easyflow.system.enums.CategoryResourceType;
|
||||
import tech.easyflow.system.enums.ResourceAction;
|
||||
import tech.easyflow.system.enums.VisibilityScope;
|
||||
import tech.easyflow.system.permission.resource.VisibilityResource;
|
||||
import tech.easyflow.system.service.CategoryPermissionService;
|
||||
import tech.easyflow.system.service.ResourceAccessService;
|
||||
import tech.easyflow.system.service.SysDeptService;
|
||||
|
||||
import javax.annotation.Resource;
|
||||
import java.math.BigInteger;
|
||||
|
||||
@Service
|
||||
public class ResourceAccessServiceImpl implements ResourceAccessService {
|
||||
|
||||
@Resource
|
||||
private CategoryPermissionService categoryPermissionService;
|
||||
|
||||
@Resource
|
||||
private SysDeptService sysDeptService;
|
||||
|
||||
@Override
|
||||
public boolean canAccess(CategoryResourceType resourceType, VisibilityResource resource, ResourceAction action) {
|
||||
if (resource == null) {
|
||||
return false;
|
||||
}
|
||||
LoginAccount loginAccount = SaTokenUtil.getLoginAccount();
|
||||
if (loginAccount == null || loginAccount.getId() == null) {
|
||||
return false;
|
||||
}
|
||||
BigInteger accountId = loginAccount.getId();
|
||||
if (categoryPermissionService.isCurrentSuperAdmin()) {
|
||||
return true;
|
||||
}
|
||||
if (accountId.equals(resource.getCreatedBy())) {
|
||||
return true;
|
||||
}
|
||||
if (ResourceAction.MANAGE == action) {
|
||||
return false;
|
||||
}
|
||||
if (!categoryPermissionService.canAccessCategory(resourceType.getCode(), resource.getCreatedBy(), resource.getCategoryId())) {
|
||||
return false;
|
||||
}
|
||||
VisibilityScope scope = VisibilityScope.fromOrDefault(resource.getVisibilityScope(), VisibilityScope.PRIVATE);
|
||||
if (VisibilityScope.PUBLIC == scope) {
|
||||
return true;
|
||||
}
|
||||
if (VisibilityScope.DEPT == scope) {
|
||||
return sysDeptService.canUserAccessDeptScopedResource(loginAccount.getDeptId(), resource.getDeptId());
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void assertAccess(CategoryResourceType resourceType, VisibilityResource resource, ResourceAction action, String message) {
|
||||
if (!canAccess(resourceType, resource, action)) {
|
||||
throw new BusinessException(message == null ? "无权限访问该资源" : message);
|
||||
}
|
||||
}
|
||||
}
|
||||
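Review bot: In `canAccess`, the guard `if (ResourceAction.MANAGE == action)` denies only MANAGE, so every other value falls through to the read rules. That includes a null `action` and any constant added to `ResourceAction` later, which would get READ-level access by default. An allow-list fails closed instead: `if (ResourceAction.READ != action) { return false; }`, assuming the enum has a `READ` constant as the commit description suggests. Separately, `resourceType.getCode()` throws a NullPointerException when `resourceType` is null. A null check next to the existing `resource == null` guard would turn that into a plain deny.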
@@ -6,6 +6,11 @@ import tech.easyflow.system.service.SysDeptService;
|
||||
import com.mybatisflex.spring.service.impl.ServiceImpl;
|
||||
import org.springframework.stereotype.Service;
|
||||
|
||||
import java.math.BigInteger;
|
||||
import java.util.Collections;
|
||||
import java.util.LinkedHashSet;
|
||||
import java.util.Set;
|
||||
|
||||
/**
|
||||
* 部门表 服务层实现。
|
||||
*
|
||||
@@ -15,4 +20,39 @@ import org.springframework.stereotype.Service;
|
||||
@Service
|
||||
public class SysDeptServiceImpl extends ServiceImpl<SysDeptMapper, SysDept> implements SysDeptService {
|
||||
|
||||
@Override
|
||||
public Set<BigInteger> getSelfAndAncestorDeptIds(BigInteger currentDeptId) {
|
||||
if (currentDeptId == null) {
|
||||
return Collections.emptySet();
|
||||
}
|
||||
SysDept currentDept = getById(currentDeptId);
|
||||
if (currentDept == null) {
|
||||
return Collections.emptySet();
|
||||
}
|
||||
Set<BigInteger> deptIds = new LinkedHashSet<>();
|
||||
String ancestors = currentDept.getAncestors();
|
||||
if (ancestors != null && !ancestors.isBlank()) {
|
||||
String[] items = ancestors.split(",");
|
||||
for (String item : items) {
|
||||
if (item == null || item.isBlank()) {
|
||||
continue;
|
||||
}
|
||||
BigInteger deptId = new BigInteger(item.trim());
|
||||
if (BigInteger.ZERO.equals(deptId)) {
|
||||
continue;
|
||||
}
|
||||
deptIds.add(deptId);
|
||||
}
|
||||
}
|
||||
deptIds.add(currentDeptId);
|
||||
return deptIds;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean canUserAccessDeptScopedResource(BigInteger currentDeptId, BigInteger resourceDeptId) {
|
||||
if (currentDeptId == null || resourceDeptId == null) {
|
||||
return false;
|
||||
}
|
||||
return getSelfAndAncestorDeptIds(currentDeptId).contains(resourceDeptId);
|
||||
}
|
||||
}
|
||||
|
||||
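Review bot: In `getSelfAndAncestorDeptIds`, `new BigInteger(item.trim())` throws `NumberFormatException` on any non-numeric segment of `ancestors`. Because this method sits on the DEPT branch of the access check, one malformed department row surfaces as an unhandled error rather than a clean deny. Skipping the bad segment only shrinks the returned set, so it stays fail-closed: `try { deptId = new BigInteger(item.trim()); } catch (NumberFormatException ex) { continue; }`, ideally with a log line naming the department id so the bad data can be found. The `item == null` test is dead code, since `String.split` never yields null elements. Note too that the method returns an immutable `Collections.emptySet()` on the early exits but a mutable `LinkedHashSet` otherwise; wrapping the result in `Collections.unmodifiableSet` would make the contract uniform.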